The setup and flow ...
- We have our company website hosted on domain A (say abc.com). It is not Java-based.
- We have our software product (cloud hosted) on domain B (def.com). It is a Tomcat-based web application (JSP, Servlet, Ajax, Dojo).
- On the company website (abc.com) we have a marketing page, and within it there is an IFrame which loads the user-self-registration.jsp page from our product (def.com).
- Since the user-self-reg.jsp page is Java-based, when the marketing page is opened in the browser, the URL opened via the IFrame drops a jsessionID cookie on the browser. The domain of the cookie is the same, def.com.
- Once the user-self-reg.jsp form is filled, the data is submitted to def.com (Tomcat server) via an Ajax call.
# My Observations
- Every time I refresh the marketing page, the dropped response cookie value is different, although I am still in the same browser window. Whereas if I open the user-self-reg.jsp page directly from def.com, the cookie value never changes until I close my browser window.
- The Ajax call is supposed to carry the jsessionID cookie through the request headers, but it is not sent from the browser. Due to this, some context-related info which is set on the session attribute is not reachable on the server side. Whereas when user-self-reg.jsp is opened directly from def.com, the Ajax call sends the jsessionId cookie through the request cookies.
Dropped Cookie details from def.com (user-self-reg.jsp page)
# My Questions
Why is the jsessionId changed on every page refresh (marketing page)?
Why is the JsessionID cookie not sent on Ajax request calls? I do not have any business with abc.com. All I do is drop a cookie from def.com and expect it to be sent to the same domain when the Ajax call is made.
Is this something to do with Cross Domain etc.?
# What I want
I want the JSESSIONID cookie to be sent on the Ajax call via the request headers. How do I achieve this? I am ready to make changes to the Tomcat configuration or application code.
How do I set Samesite=None for the jsessionID cookie? This seems like the main issue.
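
The flow described in the question, as an added example that is not part of the original post: a small model of how a browser that treats cookies without a SameSite attribute as `Lax` handles the session cookie when def.com is framed by abc.com versus opened directly. Assumptions: Chromium-style Lax-by-default enforcement, sites compared as plain strings, and a hypothetical server that issues session ids `S1`, `S2`, ... whenever no cookie arrives.

```javascript
// Model of how a browser that defaults cookies to SameSite=Lax (assumption:
// Chromium-style behaviour) treats the session cookie in the iframe flow.
// Sites are compared as plain strings; no public-suffix handling.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: "lax" }; // absent attribute => Lax
  for (const attr of attrs) {
    const [key, val = ""] = attr.toLowerCase().split("=").map((s) => s.trim());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(val)) cookie.sameSite = val;
  }
  return cookie;
}

// ctx: { topLevelSite, targetSite, https } for a framed document or its XHR.
function allowedInContext(cookie, ctx) {
  if (cookie.sameSite === "none" && !cookie.secure) return false; // None requires Secure
  if (cookie.secure && !ctx.https) return false;
  const crossSite = ctx.topLevelSite !== ctx.targetSite;
  return !crossSite || cookie.sameSite === "none";
}

// Reload the page `loads` times, then fire one XHR from the framed document.
// The (hypothetical) server issues a new session whenever no cookie arrives.
function simulate(attrs, ctx, loads) {
  let jar = null, issued = 0;
  const sessionsSeen = [];
  const request = () => {
    const sent = jar && allowedInContext(jar, ctx) ? jar.value : null;
    const id = sent || `S${++issued}`;
    if (!sent) {
      const c = parseSetCookie(`JSESSIONID=${id}; Path=/; HttpOnly${attrs}`);
      if (allowedInContext(c, ctx)) jar = c; // otherwise the browser drops it
    }
    return { id, cookieSent: sent !== null };
  };
  for (let i = 0; i < loads; i++) sessionsSeen.push(request().id);
  return { sessionsSeen, ajax: request() };
}

// Constructed contexts matching the question's two cases.
const framed = { topLevelSite: "abc.com", targetSite: "def.com", https: true };
const direct = { topLevelSite: "def.com", targetSite: "def.com", https: true };
console.log(simulate("", framed, 3));                        // new session on each load
console.log(simulate("; Secure; SameSite=None", framed, 3)); // session survives
console.log(simulate("", direct, 3));                        // first-party: survives
```

In Tomcat, the `sameSiteCookies` attribute of the `CookieProcessor` element in `context.xml` controls the SameSite value on the cookies it emits. The session cookie must also carry the Secure flag (HTTPS) for `None` to be accepted.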